Snort mailing list archives
Access to the flow's SYN and SYN-ACK packet
From: ndritsos <ndritsos () gmail com>
Date: Wed, 02 Nov 2011 13:04:38 +0200
Hello everyone, I need some info about this:

    Client -------Syn------> Server
    Client <-----Syn-Ack --- Server
    Client -----Ack---------> Server
    Client ----PSH-- Data="evil"--> Server

My Snort rule catches the packet that contains "evil", and in the function:

    static int drx_eval(void *P)
    {
        SFSnortPacket *mysfsPacket = (SFSnortPacket *) P;
        ....
        ... etc etc

        // QUESTION:
        // So here I have full access to the packet that contains the data "evil".
        // At this point, I want to have access to the handshake packets of this flow;
        // I want to extract some info from the first SYN and SYN-ACK packets,
        // especially the Options --> Window Scale field from the SYN and SYN-ACK packets.
        // Can someone help me with how to access those fields at the time Snort catches
        // the packet that contains the data "evil"?
        // Is there any field in the struct SFSnortPacket that provides this info???
    }

Thank you in advance

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
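The post asks for the Window Scale option of the SYN and SYN-ACK at the moment a later data packet matches. The added example below is not part of the post and is not Snort code; it does not use the SFSnortPacket API at all. It shows the two pieces any answer needs: a bounds-checked walk of the TCP option list that pulls out Window Scale (kind 3, length 3), and a small per-flow record filled in from the SYN and SYN-ACK so the value is already available when the "evil" packet arrives, since a detection callback only ever sees the current packet. The three segments (SYN, SYN-ACK, PSH carrying "evil") are constructed byte arrays, TCP header only; keying the flow record by 5-tuple, or attaching it to Snort's session tracking, is assumed to be handled by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits (byte 13 of the header) and the option kinds we care about. */
#define TH_SYN        0x02
#define TH_PUSH       0x08
#define TH_ACK        0x10
#define TCP_MIN_HDR   20
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_WSCALE 3

/* Constructed sample segments (TCP header only, no IP header), in the order
 * shown in the post: SYN, SYN-ACK, then the PSH|ACK carrying "evil".
 * Byte 12 holds the data offset (0x80 = 8 words = 32-byte header), byte 13 the flags. */
static const uint8_t SYN_PKT[] = {
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x80, TH_SYN, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    0x02,0x04,0x05,0xb4,      /* MSS 1460               */
    0x01,                     /* NOP                    */
    0x03,0x03,0x07,           /* Window Scale, shift 7  */
    0x04,0x02,                /* SACK permitted         */
    0x01,0x01                 /* NOP, NOP (padding)     */
};
static const uint8_t SYNACK_PKT[] = {
    0x00,0x50, 0xc3,0x50, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x02,
    0x80, TH_SYN|TH_ACK, 0x72,0x10, 0x00,0x00, 0x00,0x00,
    0x02,0x04,0x05,0xb4, 0x01,0x01, 0x04,0x02, 0x01, 0x03,0x03,0x05 /* wscale 5 */
};
static const uint8_t PSH_PKT[] = {
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x02, 0x00,0x00,0x10,0x01,
    0x50, TH_PUSH|TH_ACK, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    'e','v','i','l'           /* payload, no options (20-byte header) */
};

/* Flags byte of a TCP segment, or -1 if the buffer is too short to hold a header. */
int tcp_flags(const uint8_t *tcp, size_t len)
{
    return len < TCP_MIN_HDR ? -1 : tcp[13];
}

/* Walk the option list and return the Window Scale shift count, or -1 if the
 * segment carries no such option or the option list is malformed.  Every
 * length comes from the wire, so each step is checked against the header end. */
int tcp_window_scale(const uint8_t *tcp, size_t len)
{
    if (len < TCP_MIN_HDR) return -1;
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;          /* data offset in 32-bit words */
    if (hdr_len < TCP_MIN_HDR || hdr_len > len) return -1;

    for (size_t i = TCP_MIN_HDR; i < hdr_len; ) {
        uint8_t kind = tcp[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= hdr_len) return -1;                     /* kind with no length byte */
        uint8_t optlen = tcp[i + 1];
        if (optlen < 2 || i + optlen > hdr_len) return -1;   /* length runs off the header */
        if (kind == TCPOPT_WSCALE)
            return optlen == 3 ? tcp[i + 2] : -1;           /* RFC 7323: fixed length 3 */
        i += optlen;
    }
    return -1;
}

/* Per-flow state captured from the handshake.  One struct stands for one flow;
 * keying it by the 5-tuple is assumed to be done by the caller. */
typedef struct {
    int client_wscale;   /* from the SYN, -1 if unknown     */
    int server_wscale;   /* from the SYN-ACK, -1 if unknown */
} flow_state;

void flow_init(flow_state *fs) { fs->client_wscale = fs->server_wscale = -1; }

/* Feed every segment of the flow through here as it is seen.  Window Scale is
 * only meaningful on SYN segments, so non-SYN packets leave the record untouched. */
void flow_observe(flow_state *fs, const uint8_t *tcp, size_t len)
{
    int flags = tcp_flags(tcp, len);
    if (flags < 0 || !(flags & TH_SYN)) return;
    if (flags & TH_ACK) fs->server_wscale = tcp_window_scale(tcp, len);
    else                fs->client_wscale = tcp_window_scale(tcp, len);
}

int main(void)
{
    flow_state fs;
    flow_init(&fs);
    flow_observe(&fs, SYN_PKT, sizeof SYN_PKT);
    flow_observe(&fs, SYNACK_PKT, sizeof SYNACK_PKT);
    flow_observe(&fs, PSH_PKT, sizeof PSH_PKT);   /* the "evil" packet: no change */
    printf("client wscale=%d server wscale=%d\n", fs.client_wscale, fs.server_wscale);
    return 0;
}
```

By the time the third segment is inspected, the record already holds 7 and 5; the point is that the handshake values have to be captured when those packets pass, because the data packet itself carries no Window Scale option. The parser also rejects an option whose advertised length overruns the header or differs from the fixed length of 3, which is the check a practitioner wants before trusting wire-supplied lengths.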
Current thread:
- Access to the flow's SYN and SYN-ACK packet ndritsos (Nov 02)